Friday, February 6, 2015

iOS Passcode Recovery with iPhone Data Protection Tools (Using Yosemite)

Shameless plug: During the first half of this year I will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in Amsterdam, Netherlands (May 11-16, 2015), Madrid, Spain (May 25-30, 2015 in Spanish), and London, UK (July 13-18, 2015).

UPDATE: Xcode 6.2 (March 9, 2015).

Since the early days when the SANS "SEC575: Mobile Device Security and Ethical Hacking" class made its debut around May 2012, Joshua Wright, the SEC575 author, has included details about the iPhone Data Protection Tools presented at HITB 2011 in Amsterdam.

We cover this toolset in SEC575 during the "Mitigating the Stolen (or Lost) Device Threat" section on day 2. Beyond covering the tool internals, we run a live demo in class showing attendees how the tool works and how easy it is to obtain a 4-digit passcode in a few minutes without leaving any significant trace on the mobile device. I particularly enjoy running the live demo and going deeper into the technical details: how the built-in iOS full device encryption and data protection are implemented, the impact of firmware/hardware vulnerabilities (such as the bootrom vulnerability leveraged by limera1n's exploitation process), the importance of software and hardware security updates, and how the full keychain contents can be decrypted once the passcode is obtained, exposing multiple sensitive user credentials. Although this particular attack (based on limera1n) can only be launched against Apple devices up to the iPhone 4 and the iPad 1 (which use the vulnerable Apple A4 SoC), it serves to emphasize the attack possibilities and the impact of similar future vulnerabilities in more modern Apple devices.

Running this kind of impressive attack demo in front of C-level executives really helps to make the point and to raise both individual and corporate awareness of the risks of using 4-digit passcodes, or of leaving mobile devices unattended for a few minutes (an urgent phone call or meeting, etc.) or longer (a tablet left in a hotel room during dinner, etc.). For this reason, apart from covering the attack details and running the demo in class, the SEC575 DVD contains a thorough step-by-step guide describing how to prepare your OS X pen-testing system to launch the attack, so that attendees can reproduce it. Originally the guide was written for OS X Lion (10.7), and we updated it for OS X Mountain Lion (10.8) a few months later.

However, because this is an "old" attack, one of the most challenging tasks over the years has been keeping it working with the latest operating system versions, libraries and modules, development frameworks and languages, and other required dependencies. For this reason I have recently updated the guide for OS X Yosemite (10.10), so that you can still demonstrate the attack today if you are running the latest OS X version, and we are making it public beyond the SEC575 realm (perhaps reaching out to potential future SEC575 candidates):
This new version of the guide was tested under OS X Yosemite (10.10.1) with the associated official Xcode version (6.1.1), using two target mobile devices: an iPad 1 (running iOS 5.1.1) and an iPhone 4 (running iOS 7.0.4).
Is Your Xcode Environment Vulnerable?

UPDATE: Finally, on March 9, 2015, Apple released Xcode 6.2, fixing the Git vulnerability described below (CVE-2014-9390) more than two and a half months after its disclosure. The bundled Git version is now "1.9.5 (Apple Git-50.3)".

On December 18, 2014, a vulnerability in Git was disclosed (CVE-2014-9390; in reality this CVE covers three related issues), affecting Git clients on case-insensitive file systems, i.e. both Windows and Mac OS X. A malicious repository can contain tree entries whose path components resolve to ".git" on such file systems (for example ".Git", or the "git~1" short name on NTFS), so that a "git pull" or "git checkout" overwrites files inside the local ".git" directory, such as the "config" file or the "hooks" sub-directory, leading to remote code execution. Microsoft released patches for their different Git implementations, GitHub updated their GitHub for Windows and GitHub for Mac clients, and Apple addressed it in Xcode 6.2 beta 3.

In early January 2015 a Metasploit module was released to exploit this vulnerability through an HTTP server that simulates a malicious Git repository.

If you are an Apple developer, I expect you to update your Xcode environment frequently to benefit from and test the latest features, including the iOS 8.2 SDK with WatchKit support (for Apple Watch) in the Xcode 6.2 beta versions. But if you are a security professional and use Xcode for security testing, for tasks like the ones described in this blog post, your Xcode environment might be vulnerable.

At the time of this writing, at the end of January 2015, the latest official Xcode version available through the App Store is Xcode 6.1.1 (released on December 2, 2014). This Xcode version still ships Git 1.9.3 and has therefore been vulnerable to CVE-2014-9390 for almost one and a half months:

$ git --version
git version 1.9.3 (Apple Git-50)

In order to install Xcode 6.2 beta 3 (or a later beta version) you need to manually download Xcode using a free (or paid) Apple developer account and proceed with the installation. The Xcode beta version goes into "/Applications/" (vs. the default "/Applications/" directory). However, even when the beta version has been installed, the Xcode command-line tools (of which Git is part) will still use the official Xcode version. To switch between the different versions of the Xcode command-line tools, you need to use the xcode-select tool (as root):

$ git --version
git version 1.9.3 (Apple Git-50)

$ xcode-select -p

$ sudo xcode-select --switch /Applications/
$ xcode-select -p

$ sudo xcodebuild -license
$ git --version
git version 1.9.5 (Apple Git-50.3)

Therefore, the Git version bundled with Xcode 6.2 beta 4 is 1.9.5, which is not vulnerable to CVE-2014-9390. Time to update your Xcode version!
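To make the above concrete, here is an added example in Python, written for this post and not part of the original guide, nor code from Git or Xcode. It implements the two checks a tester wants at this point: whether a "git --version" banner like the ones shown above predates the fixed release of its maintenance line, and whether a tree entry in a repository would resolve to the ".git" directory on a case-insensitive HFS+ or NTFS volume, which is the condition CVE-2014-9390 abuses. The list of fixed releases (1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1) is taken from the December 18, 2014 Git announcement; the HFS+ ignorable code points and the "git~1" short-name rule follow the path checks added to Git in that fix as I read them; the sample tree listing is constructed for this example.

```python
import re

# Upstream Git maintenance releases that shipped the CVE-2014-9390 fix
# (all announced on December 18, 2014). Assumption of this example: a client
# on one of these lines is safe from that release onwards, and every line
# newer than 2.2 already contains the fix.
FIXED_RELEASES = [(1, 8, 5, 6), (1, 9, 5), (2, 0, 5), (2, 1, 4), (2, 2, 1)]

# Code points that HFS+ ignores when comparing file names, so a tree entry
# such as ".g\u200cit/config" is written to ".git/config" on Mac OS X.
# The set mirrors the one the patched Git checks against (our transcription).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F,
                 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
                 0xFEFF}


def parse_git_version(banner):
    """Turn 'git version 1.9.3 (Apple Git-50)' into the tuple (1, 9, 3)."""
    match = re.search(r"git version (\d+(?:\.\d+)+)", banner)
    if not match:
        raise ValueError("unrecognised git banner: %r" % banner)
    return tuple(int(part) for part in match.group(1).split("."))


def is_git_vulnerable(banner):
    """True if the client reported by `banner` predates the fix for its line."""
    version = parse_git_version(banner)
    for fixed in FIXED_RELEASES:
        line = fixed[:-1]              # (1, 9) for 1.9.5, (1, 8, 5) for 1.8.5.6
        if version[:len(line)] == line:
            return version < fixed
    # Not a line that received a backport: anything older than 2.2.1 is unfixed.
    return version < (2, 2, 1)


def component_maps_to_dotgit(component):
    """Does this single path component name the .git directory on a
    case-insensitive HFS+ or NTFS file system?"""
    # HFS+: drop the ignorable code points before comparing.
    name = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    # NTFS: trailing dots and spaces are removed when the file is created.
    name = name.rstrip(". ").lower()
    # ".git" in any letter case, or the NTFS 8.3 short name of ".git".
    return name in (".git", "git~1")


def flags_dotgit_path(path):
    """True if checking out `path` could write inside the clone's real .git
    directory (the CVE-2014-9390 condition); False for ordinary paths."""
    return any(component_maps_to_dotgit(part) for part in path.split("/"))


def audit_tree(paths):
    """Return the subset of `paths` that a patched Git refuses to check out."""
    return [p for p in paths if flags_dotgit_path(p)]


if __name__ == "__main__":
    # Banners copied from the post (Xcode 6.1.1 and Xcode 6.2 beta 4).
    for banner in ("git version 1.9.3 (Apple Git-50)",
                   "git version 1.9.5 (Apple Git-50.3)"):
        state = "VULNERABLE" if is_git_vulnerable(banner) else "fixed"
        print("%-40s -> %s" % (banner, state))

    # Constructed tree listing of a hostile repository: three entries would
    # clobber .git/ on a case-insensitive disk, the others are harmless.
    sample_tree = [
        "README.md",
        ".gitignore",
        "src/git/config",
        ".Git/config",
        "vendor/GIT~1/hooks/post-checkout",
        ".g\u200cit/hooks/post-checkout",
    ]
    for path in audit_tree(sample_tree):
        print("would write into .git/: %r" % path)
```

Run it as-is to see the two banners classified and the three hostile entries listed; point audit_tree() at the output of "git ls-tree -r --name-only" from a repository you are about to check out with an old client, and the flagged entries are the ones a patched Git would reject and an unpatched one would happily write into .git/.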
